Is there a deep dive on Google's OAuth2 scopes?


Problem description

I'm looking for some deep down detailed information on Google's use of OAuth scopes.

My Drive app is working, so I get the simple use of scopes. However, I have the following detailed questions/issues.

  1. I specify scopes twice. Once in my app and then also in the API Console. What is the respective significance of these two scope declarations?
  2. If I remove scopes, must my user re-authorise my app, or is this only required for adding additional scopes?
  3. If the answer to 2 is 'I can't silently remove scopes', will the Google libraries deal gracefully with re-authorising the user, or will I just get 403 failures? I've read "How should an application add/remove scopes to an existing grant?" but the accepted answer specifically references adding scopes, whereas my question is about removing scopes.
  4. Can different modules within my app request different scopes within the superset specified in the API Console? To explain, my app has 3 components: a Chrome extension accessing Drive, a web client using JS to access Drive and YouTube (in online mode), and a server component which accesses Drive (in offline mode).
  5. Can my app enquire what scopes it has been granted?

A general question: I'm sure I face the same dilemma as many app authors. If I increase functionality (a good thing, since it attracts users), I also need to increase the permissions/trust a user places in my app (a bad thing, since it repels users). Are there any recommendations on how apps should best handle this conflict of interests?

Accepted answer

List of scopes in your client code - this is what a user authorizes your app to do

When you request authorization from a user, you need to specify what you would like the user to consent to. This is what the list of scopes is used for - it controls the text the user sees when they authorize your application, and the refresh/access tokens granted by that authorization are limited to making API calls that are allowed by those scopes.

List of enabled services in the API Console - this is what your app authorizes users to do

To my knowledge there is no list of scopes specified in the API Console. There is, however, a list of Google services that can be enabled. Enabling/disabling a service here is more about turning on/off the ability to make API calls and managing quota and/or accepting terms of service related to that API than it is about authorization.

When you call an API - you send the access token

The access token encapsulates the user making the request, the scopes the user authorized you for, and the client ID used for the authorization (which in turn belongs to your project). At this point you need to have the service that the API call is sent to enabled on the project, and the correct scope for the API request - or you will get a 403.

When your list of required scopes changes - you should expect users to need to re-authorize

At the point you request an access token (typically by sending a refresh token) you need to be prepared for that request not to succeed. Maybe it's because you've added scopes - but maybe a user has chosen to visit https://accounts.google.com/IssuedAuthSubTokens and has revoked your application's access. I'm not sure whether requesting fewer scopes than were granted by the user initially will trigger this; I would experiment to test - but the point is that, regardless, your code needs to be able to handle this scenario. I believe the OAuth2DecoratorFromClientSecrets (from the linked question) will handle this gracefully for you but am not certain - it should be easy enough to verify.

Using the same authorization across multiple clients - I suggest reading through this doc and seeing if it covers all of your scenarios: https://developers.google.com/accounts/docs/CrossClientAuth

To see the scopes granted to an access token - use the OAuth2 API: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=yaxxxxxxxxxxxxxxx
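The two checks the answer describes (confirming which scopes a token actually carries via the tokeninfo endpoint, and recognising a failed refresh that means the user must re-authorize), as an added example that is not part of the original answer. The tokeninfo response and the token-endpoint error body below are constructed samples; the client ID and scope strings are placeholders, and treating only `invalid_grant` as "re-authorize" is an assumption.

```python
import json
from urllib.parse import urlencode

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"

# Placeholder scope strings used for the checks below.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
YOUTUBE_SCOPE = "https://www.googleapis.com/auth/youtube.readonly"

# Constructed sample of a v1 tokeninfo response (not captured from a live token).
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": "1234.apps.googleusercontent.com",
    "audience": "1234.apps.googleusercontent.com",
    "scope": DRIVE_SCOPE + " https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3512,
    "access_type": "offline",
})


def tokeninfo_url(access_token):
    """Build the tokeninfo request URL from the answer, URL-encoding the token."""
    return TOKENINFO_URL + "?" + urlencode({"access_token": access_token})


def granted_scopes(tokeninfo_body):
    """Parse the space-separated 'scope' field of a tokeninfo response into a set."""
    return set(json.loads(tokeninfo_body).get("scope", "").split())


def check_token(tokeninfo_body, required_scopes, expected_client_id):
    """Return (ok, reason). Rejects a token issued for another client ID and lists
    required scopes the user never granted, which would otherwise surface as 403s."""
    info = json.loads(tokeninfo_body)
    if info.get("audience") != expected_client_id:
        return False, "token was issued to a different client id"
    missing = set(required_scopes) - granted_scopes(tokeninfo_body)
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"


def needs_reauthorization(status, token_response_body):
    """Interpret a refresh-token exchange. Assumption: an 'invalid_grant' error body
    (revoked or unusable refresh token) means send the user back through consent;
    any other failure is treated as transient and retried by the caller."""
    if status == 200:
        return False
    try:
        err = json.loads(token_response_body).get("error")
    except ValueError:
        err = None
    return err == "invalid_grant"
```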
